Cybersecurity and Brexit

Last updated 15 July 2020

Relevant policies:

Progress and developments:

  • In October 2016 the UK opened its National Cyber Security Centre, a child organisation of GCHQ. It would naturally fulfil the role of the national cybersecurity authority as required by the Directive.
  • In December 2016 a government report stated:
    Government is separately considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations….the detailed scope and security requirements for NIS implementation will be set out by Government in 2017, informed by the work of the NCSC and lead Government departments with relevant sectors alongside broader Government consideration of critical infrastructure.”
    Cyber Security Regulation and Incentives Review (pdf), page 12, paragraph 4.10.
  • In August 2017 a consultation opened on the UK implementation of the Directive. It closes on 30 September.
  • In December 2017 the European Scrutiny Committee of the House of Commons fairly blasted Government, and the Minister for Digital, for their lack of insight into post-Brexit cybersecurity arrangements, particularly the European Union Agency for Network and Information Security, given the inherent need for any cybersecurity arrangement to be cross-border and cooperative. They noted, amongst other questions:
    • The FCO expresses concern about prospective EU interference with national operational activities in the field of cybersecurity, whereas DCMS cautions that the Commission’s use of the term “operational” to describe ENISA’s proposed coordinating role in cross-border cybersecurity emergencies does not actually amount to an operational role in the UK usage of the term. What is the Government’s considered view on this aspect of the proposal?
    • Regarding the Brexit implications of the proposal, we ask the Government to provide:
      • a clear account of the means by which third countries currently participate in / cooperate with ENISA, including through the NIS Directive and its supporting institutional arrangements;
      • a fuller account of the anticipated impacts of a shift to third country status for the UK and UK-based operators with regards to the main provisions of the ENISA Regulation and the NIS Directive (e.g., what would the impact be on digital service providers?);
      • an explanation of the Government’s concerns about the potential impact on trade and investment of the proposal for an EU certification framework, and how this might affect the UK when it assumes third country status;
  • A contrite Margot James provided the Committee with the clarification it sought in February 2018, but the Committee retained the proposal under scrutiny.
  • In July 2018 the Committee received another comprehensive briefing from Margot James which provided answers on just how the UK plans to remain part of an international cybersecurity alliance for a system it is leaving. The work continues.
  • In December 2018 DCMS published guidance on the NIS directive for eligible service providers in the event of a “No Deal” Brexit scenario. The guidance is simply jaw-dropping. It suggests that impacted providers spend the three months they have left before Brexit to gather basic information about their main place of establishment in order to determine which representaties they may have to appoint.
  • In December 2018 the ESC disputed Margot James’ claim that the proposed regulation on cybersecurity coordination centres would not apply to the UK during the Brexit transition process.
  • In January 2019 the ESC retained the ENISA proposal under scrutiny, while asking Margot James to explain why she “objects to the conception of the “public core of the open internet”, as defined in a paper by the Global Commission on the Stability of Cyberspace, what practical effects the provision can be anticipated to have, particularly in relation to internet governance, and which provides a justification of how the Government voted.”
  • In March 2019 the Network and Information Systems statutory instrument was introduced. and later updated with No2.
  • In July, the UK delegation was disinvited from an EU cybersecurity meeting discussing Huawei. Naturally, they threw a tantrum about getting what they wanted.
  • In May 2020 the EC clarified which areas of the NIS Directive will, and will not, continue to apply to UK businesses after Brexit.